Re: Trust and distrust [was: Re: Google releases beta OpenPGP code]
Some ideas that would help a distrustful person such as myself, before addressing your mistrust question:

I wish that there was a standard API for low-level encryption JS libraries. Not only so that I could swap them in OpenPGPJS on a whim, but so that I could also swap them in my code as well, without writing the glue.

I wish there was a standard for the random number generators, so that I could easily swap out, and ALSO use a fake number generator to test that different implementations of PGP create *exactly* the same results.

Then I wish there was a standard API for PGP, so that when the Google code comes out I could swap as I wish. Test one against the other. Use the fake number generator and fake timestamps to verify that the resulting output is *exactly* the same in hundreds of test cases.

And then code coverage. I wish there were statistics published about code coverage. If there is 100% code coverage and the output of two PGP implementations is the same, it gives me a much higher "I trust this code doesn't have an insert somewhere" than just "well, the results were the same for the test cases I have."

Swapping + code coverage + exactly the same results + disparate code bases with maintainers who don't look at the other code base (and possibly distrust the other coding group) = more trust from me.

--- begin response to distrust, which I've tried not to make emotionally baited, but really I would just ignore this section ---

I'm not exactly sure if this list is an appropriate place for me to state my reasons for distrusting Google. Find the congressional testimony by Google about what they were doing in China, especially the auto-censoring. That was my moment where I realized the Google that I had hoped for had nothing to do with the Google it transformed into.

In terms of just plain security, I will say that I also do not trust OpenPGPJS, but in a different way. After that China testimony I didn't trust Google to put people before governments. And unfortunately I feel as if my fears have been proven correct. Since Google controls Chrome -- a plugin by Google designed to thwart Google, running within Google's Chrome?? U.. Not sure... If I were an adversary that could force Google to do something I wanted, I would make them take screenshots of anybody using this plugin, and send them to me.

-tim

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
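The testing method the post above asks for (inject a fake random number generator, run two independent implementations, demand byte-identical output) can be exercised today on any component that takes its randomness through an interface. The following is an added example written for this page; it is not code from OpenPGP.js, End-To-End or GnuPG. The two implementations encode EME-PKCS1-v1_5 padding (RFC 8017 section 7.2.1), which OpenPGP uses to wrap a session key for an RSA recipient and which is the one place that encoding consumes random bytes. The FakeRng construction, the case list, the deliberately broken third implementation and the well_formed() check are assumptions made for illustration.

```python
"""Differential test of two implementations behind an injected RNG.

Added example for this thread; it is not code from OpenPGP.js, End-To-End
or GnuPG.  The implementations encode EME-PKCS1-v1_5 padding (RFC 8017
section 7.2.1); FakeRng, CASES, pad_buggy and well_formed are assumptions
chosen for illustration.
"""
import hashlib
import hmac
import os
import struct
from typing import Callable, Dict, List, Tuple


class FakeRng:
    """Deterministic byte stream: HMAC-SHA256 over a counter, keyed by a seed.

    The stream is buffered, so bytes(1) followed by bytes(3) yields the same
    bytes as bytes(4).  Without that property two implementations that draw
    the same randomness in different chunk sizes would see different bytes,
    and the comparison below would fail for the wrong reason.
    """

    def __init__(self, seed: bytes) -> None:
        self._seed = seed
        self._ctr = 0
        self._buf = b""

    def bytes(self, n: int) -> bytes:
        while len(self._buf) < n:
            block = hmac.new(self._seed, struct.pack(">Q", self._ctr), hashlib.sha256).digest()
            self._buf += block
            self._ctr += 1
        out, self._buf = self._buf[:n], self._buf[n:]
        return out


class OsRng:
    """The real source used in production; swapped out for FakeRng under test."""

    def bytes(self, n: int) -> bytes:
        return os.urandom(n)


Impl = Callable[[bytes, int, object], bytes]


def pad_a(msg: bytes, k: int, rng) -> bytes:
    """Implementation A: draw one byte at a time, keep the non-zero ones."""
    if len(msg) > k - 11:
        raise ValueError("message too long for modulus")
    ps = bytearray()
    while len(ps) < k - len(msg) - 3:
        b = rng.bytes(1)
        if b != b"\x00":
            ps += b
    return b"\x00\x02" + bytes(ps) + b"\x00" + msg


def pad_b(msg: bytes, k: int, rng) -> bytes:
    """Implementation B: draw a whole block, filter zeros, top up as needed."""
    if len(msg) > k - 11:
        raise ValueError("message too long for modulus")
    need = k - len(msg) - 3
    ps = b""
    while len(ps) < need:
        ps += bytes(x for x in rng.bytes(need - len(ps)) if x != 0)
    return b"\x00\x02" + ps + b"\x00" + msg


def pad_buggy(msg: bytes, k: int, rng) -> bytes:
    """Implementation C, deliberately wrong: omits the 0x00 separator and pads
    one byte longer, so a length check alone would not notice."""
    need = k - len(msg) - 2
    ps = b""
    while len(ps) < need:
        ps += bytes(x for x in rng.bytes(need - len(ps)) if x != 0)
    return b"\x00\x02" + ps + msg


def well_formed(em: bytes, k: int) -> bool:
    """Structural check a decoder applies: length k, leading 00 02, at least
    8 non-zero padding bytes, then a 0x00 separator."""
    if len(em) != k or em[:2] != b"\x00\x02":
        return False
    sep = em.find(b"\x00", 2)
    return sep >= 10


# Constructed test cases: (name, message, modulus length in bytes).
CASES: List[Tuple[str, bytes, int]] = [
    ("16-byte session key", bytes(range(16)), 64),
    ("empty message", b"", 32),
    ("longest message for k=128", b"\xff" * (128 - 11), 128),
]


def differential(impls: Dict[str, Impl], cases, seed: bytes) -> List[Tuple[str, Dict[str, bytes]]]:
    """Run every implementation on every case with a freshly seeded FakeRng
    and report the cases whose outputs are not byte-identical."""
    mismatches = []
    for name, msg, k in cases:
        outputs = {iname: impl(msg, k, FakeRng(seed)) for iname, impl in impls.items()}
        if len(set(outputs.values())) != 1:
            mismatches.append((name, outputs))
    return mismatches


if __name__ == "__main__":
    print("A vs B mismatches:", differential({"a": pad_a, "b": pad_b}, CASES, b"seed-1"))
    print("A vs C mismatches:", [n for n, _ in differential({"a": pad_a, "c": pad_buggy}, CASES, b"seed-1")])
```

Two details carry the method. First, the fake generator must behave as one stream regardless of how the implementation chunks its requests; otherwise two correct implementations disagree and the test reports noise. Second, the structural check is not a substitute for the comparison: well_formed() passes pad_buggy's output whenever the message itself happens to begin with a zero byte (the first case above), while the byte-for-byte differential flags all three cases. The same injection applies to the clock for OpenPGP's packet timestamps, which the post also mentions.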
Re: Google releases beta OpenPGP code
I hope the two code bases can create a common API. It would be really useful to be able to test one against the other.

I have to say that the OpenPGPJs developers have been quite responsive to the bugs I've been raising. I personally think their project is a gold mine. And personally, I do not trust Google. Enough said in that regard. ;-)

Anyhow, with regard to:

> Most people value the ability to access their messages from anywhere, using webmail, and won't want to have to carry their private keys with them.

I've been working on such a project. Little by little. If you'd care to help, feel free to hack/clone/steal/whatever. The project is designed so that you can create your own CSS file and make it look like Google or whatever.

You can find it here: https://github.com/timprepscius/mv
With a test site here: http://pmx.mooo.com (I haven't optimized the JS files into one [will eventually do], so allow much time to load)

-tim
Trust and distrust [was: Re: Google releases beta OpenPGP code]
On Sun, Jun 08, 2014 at 01:13:27PM -0400, t...@piratemail.se wrote:
> And personally, I do not trust google. Enough said in that regard. ;-)

Sorry to hijack this topic, but... Why would you trust the OpenPGP.js developers? At least you can hold Google accountable for their actions. You cannot for them: perhaps they do not even physically exist, and are just nameholders for a three-letter-agency project, willingly introducing backdoors in this project. Maybe they just fixed the bugs you reported because it made them look less conspicuous. "Maybe" will bring us all very far away.

What's great about open source is that you do not at all have to trust the maintainer of a project. You only have to trust the project -- and by this I mean the fact that at least a developer will have noticed the flaw. I may even distrust Werner, and yet use gpg -- if e.g. I trust another GnuPG developer. And even this trust is not strictly required: you can always inspect the source code all by yourself.

Sure, this model of "trust the community" is far from perfect, Heartbleed being the latest proof of that. But it is better than "trust the maintainer", who is always part of the community.

And what's great about Google's project is that they are quite likely to be highly audited: if anyone found a willingly placed security flaw in Google's End-To-End library, it would mean a lot of prestige. So, even if I trusted Google less than the OpenPGP.js developers [and who tells us these developers are not disguised Google agents?], I would likely, after a period during which security experts will have had their time with this new library, trust it more than OpenPGP.js. Despite the fact that it might have a backdoor while the other does not. Because the opposite is even more likely.

Cheers,
Leo
Re: Google releases beta OpenPGP code
On 04-06-2014 4:32, Werner Koch wrote:
> On Wed, 4 Jun 2014 04:43, ds...@jabberwocky.com said:
>> I haven't looked at the fine details yet, but on the surface it seems like they're aiming at Gmail (mainly, but not solely).
>
> Interesting. This is in contrast to a recent online article in the German c't magazine [1] where the author claims that Google would cannibalize their own business model if they offer end-to-end encryption. Apple on the other hand can afford the luxury of encrypted chats because their revenue stream is not alone based on advertising.

I have the feeling that Google doesn't care if a small percentage of users avoid the business model. As an example, since I made my first Gmail account (at that time you needed an invitation to make an account, and people only had 6 invitations to send), I've been using my account through POP3/SMTP, so I never see the advertisements. Of course, when I got my 6 invitations, I sent them to other friends, and none of them use Thunderbird or equivalent, so Google lost the advertisements I don't see, but got 6 other people that see them... I guess they bet it will be the same with OpenPGP. Most people value the ability to access their messages from anywhere, using webmail, and won't want to have to carry their private keys with them.

Best Regards
Re: Google releases beta OpenPGP code
On Thu, 5 Jun 2014 01:34, harni...@gmail.com said:
> With Chrome's relatively new native-messaging-api system, it wouldn't be terribly hard to spawn off external processes to do gpg work. You just have to implement a JSON messaging api between an extension and platform-specific executable.

Actually something which one could add to gpgme-tool or a new tool which uses gpgme's UI-server concept. Are Unix domain sockets or TCP connections to 127.0.0.1 possible with that native-messaging-api?

Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
[Thoughts are free. Exceptions are governed by a federal law.]
Re: Google releases beta OpenPGP code
* on the Wed, Jun 04, 2014 at 06:36:40PM -0400, a k'wala wrote:
> Good that Google has released the source. Hope to see the implementation compared to OpenPGP.js.

One of the developers of the crypto library behind this End-To-End extension said some pretty damning things about the state of OpenPGP.js source code yesterday:

https://news.ycombinator.com/item?id=7843297

-- 
Mike Cardwell  https://grepular.com  https://emailprivacytester.com
OpenPGP Key: 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key: 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
Re: Google releases beta OpenPGP code
On Wed, Jun 04, 2014 at 06:36:40PM -0400, a k'wala wrote:
> Good that Google has released the source. Hope to see the implementation compared to OpenPGP.js.

Both End-to-End and OpenPGP.js have starting entries at http://wiki.gnupg.org/OtherFreeSoftwareOpenPGP

Please add further facts, so this page helps us all to keep the overview. :)

Bernhard
GnuPG for the web (Re: Google releases beta OpenPGP code)
On Wed, Jun 04, 2014 at 06:59:57PM -0400, a k'wala wrote:
> On 06/04/2014 08:45 AM, Ciprian Dorin Craciun wrote:
>> Personally I won't use any browser plugin that operates on cryptographic material inside its own process. Instead I would expect it to delegate such operations to something similar to the GnuPG agent.
>
> I happened to come across one that uses an external gpg binary: http://thinkst.com/tools/cr-gpg/. Its last release was an alpha in 2012.

I've added cr-gpg to http://wiki.gnupg.org/PlatformNotes (it will probably move to a separate page sooner or later). You will also find a link to WebPG there.
Re: Google releases beta OpenPGP code
On Wed, 4 Jun 2014 04:43, ds...@jabberwocky.com said:
> I haven't looked at the fine details yet, but on the surface it seems like they're aiming at Gmail (mainly, but not solely).

Interesting. This is in contrast to a recent online article in the German c't magazine [1] where the author claims that Google would cannibalize their own business model if they offer end-to-end encryption. Apple on the other hand can afford the luxury of encrypted chats because their revenue stream is not alone based on advertising.

Maybe Google now fears that users move away from Gmail and to mitigate that they provide end-to-end so that they still have access to their user's traffic pattern.

Shalom-Salam,

   Werner

[1] http://www.heise.de/security/artikel/Warum-Google-uns-echte-Verschluesselung-verweigert-2191797.html

-- 
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
[Thoughts are free. Exceptions are governed by a federal law.]
Re: Google releases beta OpenPGP code
++ 04/06/14 10:32 +0200 - Werner Koch:
>> I haven't looked at the fine details yet, but on the surface it seems like they're aiming at Gmail (mainly, but not solely).
>
> Interesting. This is in contrast to a recent online article in the German c't magazine [1] where the author claims that Google would cannibalize their own business model if they offer end-to-end encryption. Apple on the other hand can afford the luxury of encrypted

A few additional remarks:

- Google talks about a limited group of users in their announcement: "[...] will probably only be used for very sensitive messages or by those who need added protection. [...] will make it quicker and easier for people to get that extra layer of security should they need it." If they do not make a larger effort, the use of this plugin will remain limited (and Google will not cannibalize their own business model and still can make a good impression).

- As Google already mentions: this type of encryption has been around for quite a while but hasn't been picked up by the general public due to the difficulties in creating useful, secure and user-friendly user interfaces. Google still has this hurdle to take.

-- 
Rejo Zenger
E r...@zenger.nl | P +31(0)639642738 | W https://rejo.zenger.nl
T @rejozenger | J r...@zenger.nl
OpenPGP 1FBF 7B37 6537 68B1 2532 A4CB 0994 0946 21DB EFD4
XMPP OTR 271A 9186 AFBC 8124 18CF 4BE2 E000 E708 F811 5ACF
Re: Google releases beta OpenPGP code
On 04/06/2014 09:32, Werner Koch wrote:
> Maybe Google now fears that users move away from Gmail and to mitigate that they provide end-to-end so that they still have access to their user's traffic pattern.

Oh perhaps they simply take the view that very few people will use it (sadly). It will give people the warm and fuzzies because it's there but few people who use Gmail will know why it's there or how to use it or bother to use it.

-- 
Mark Rousell
PGP public key: http://www.signal100.com/markr/pgp
Key ID: C9C5C162
Re: Google releases beta OpenPGP code
On 06/04/2014 01:58 AM, Mark Rousell wrote:
> On 04/06/2014 09:32, Werner Koch wrote:
>> Maybe Google now fears that users move away from Gmail and to mitigate that they provide end-to-end so that they still have access to their user's traffic pattern.
>
> Oh perhaps they simply take the view that very few people will use it (sadly). It will give people the warm and fuzzies because it's there but few people who use Gmail will know why it's there or how to use it or bother to use it.

That'd be my guess as well. Good PR + limited uptake == profit!

Doug
Re: Google releases beta OpenPGP code
On Wed, Jun 4, 2014 at 11:58 AM, Mark Rousell ma...@signal100.com wrote:
> On 04/06/2014 09:32, Werner Koch wrote:
>> Maybe Google now fears that users move away from Gmail and to mitigate that they provide end-to-end so that they still have access to their user's traffic pattern.
>
> Oh perhaps they simply take the view that very few people will use it (sadly). It will give people the warm and fuzzies because it's there but few people who use Gmail will know why it's there or how to use it or bother to use it.

Although I find such a plugin welcome --- at least for trying to bridge PGP-based security to the browser, like the defunct Firefox GnuPG plugin did a few years ago --- I also think that the purpose of such a tool is limited to either public education (getting them used to the idea of better privacy), experimentation (being written solely in JavaScript), or in the worst case marketing. (Though I'm sure its developers have only the best in mind.)

The reason I'm stating this is based solely on what they write on the project's page [1] regarding the security of the solution, its threat model, implementation, etc. For example, looking at the section "How safe are private keys in memory?":

> Please note that enabling Chrome's "Automatically send usage statistics and crash reports to Google" means that, in the event of a crash, parts of memory containing private key material might be sent to Google.

Personally I won't use any browser plugin that operates on cryptographic material inside its own process. Instead I would expect it to delegate such operations to something similar to the GnuPG agent.

However, I would love to see a Firefox GnuPG plugin again.

Ciprian.

[1] https://code.google.com/p/end-to-end/
Re: Google releases beta OpenPGP code
On Jun 4, 2014, at 4:32 AM, Werner Koch w...@gnupg.org wrote:
> On Wed, 4 Jun 2014 04:43, ds...@jabberwocky.com said:
>> I haven't looked at the fine details yet, but on the surface it seems like they're aiming at Gmail (mainly, but not solely).
>
> Interesting. This is in contrast to a recent online article in the German c't magazine [1] where the author claims that Google would cannibalize their own business model if they offer end-to-end encryption. Apple on the other hand can afford the luxury of encrypted chats because their revenue stream is not alone based on advertising.
>
> Maybe Google now fears that users move away from Gmail and to mitigate that they provide end-to-end so that they still have access to their user's traffic pattern.

If we look at it cynically, I think this is a win-win for Google. They get a lot of good press about increasing user security for nearly no cost to their business model. This still requires manual steps to encrypt which pretty much rules it out for the overwhelming majority of users, and like you say, even for those relatively few users who start encrypting, Google still has access to traffic patterns.

I don't think they're being that cynical though. The code is real, and presumably does what it is described to do. It's not a complete solution (which for me would be automating it somehow), but it's a nice step. And this is an 800 pound gorilla throwing some more weight behind encryption in general and OpenPGP in particular. I'm quite pleased to see this.

David
Re: Google releases beta OpenPGP code
I have read the article too but I have to disagree. People using Gmail will probably be logged in to their Google account all (most of) the time. So Google knows what they're searching, watching, listening to (music), what they are talking about (G+) and so on. I think Google has such massive data about their users that scanning emails as another source just isn't mission critical any longer. Probably they also know what's going on on Facebook and Twitter by their omnipresent Google ads.

IIRC Google doesn't scan corporate mail and students' mail (if the school or university participates in Google's programs) because of data protection issues, at least in Europe.

I think Google offering PGP is VERY interesting for several reasons:

- it'll integrate seamlessly in Gmail, so no issues with plugins getting shut down or incompatible by some changes
- people maybe get used to encryption, so no more or less "I can't open the strange attachment you sent me"
- they will probably find a convenient solution to integrate it on smartphones; more and more (young) people don't use classic PCs at all
- I think some people at Google are really angry about the 3-letter agencies. See: http://www.techdirt.com/articles/20131106/00235225143/pissed-off-google-security-guys-issue-fu-to-nsa-announce-data-center-traffic-now-encrypted.shtml

To be clear: there are of course a lot of pitfalls storing keys somewhere in the browser etc., but it's definitely an interesting development.

regards
Daniel

On 04.06.2014 10:32, Werner Koch wrote:
> On Wed, 4 Jun 2014 04:43, ds...@jabberwocky.com said:
>> I haven't looked at the fine details yet, but on the surface it seems like they're aiming at Gmail (mainly, but not solely).
>
> Interesting. This is in contrast to a recent online article in the German c't magazine [1] where the author claims that Google would cannibalize their own business model if they offer end-to-end encryption. Apple on the other hand can afford the luxury of encrypted chats because their revenue stream is not alone based on advertising.
>
> Maybe Google now fears that users move away from Gmail and to mitigate that they provide end-to-end so that they still have access to their user's traffic pattern.
>
> Shalom-Salam,
>
>    Werner
>
> [1] http://www.heise.de/security/artikel/Warum-Google-uns-echte-Verschluesselung-verweigert-2191797.html
Re: Google releases beta OpenPGP code
++ 04/06/14 19:16 +0200 - Suspekt:
> IIRC google doesn't scan cooporate mails and students mail (if the school or university participates in googles programs) because of data protection issues, at least in europe.

No. Google announced it will no longer do content scanning for advertising purposes in Apps for Education. Please take special note of the "for advertising purposes" and "for Education".

-- 
Rejo Zenger
E r...@zenger.nl | P +31(0)639642738 | W https://rejo.zenger.nl
T @rejozenger | J r...@zenger.nl
OpenPGP 1FBF 7B37 6537 68B1 2532 A4CB 0994 0946 21DB EFD4
XMPP OTR 271A 9186 AFBC 8124 18CF 4BE2 E000 E708 F811 5ACF
Re: Google releases beta OpenPGP code
On 06/04/2014 08:45 AM, Ciprian Dorin Craciun wrote:
> Personally I won't use any browser plugin that operates on cryptographic material inside its own process. Instead I would expect it to delegate such operations to something similar to the GnuPG agent.

I happened to come across one that uses an external gpg binary: http://thinkst.com/tools/cr-gpg/. Its last release was an alpha in 2012.

aslamK
PGP key http://is.gd/aslampgpmit
fingerprint: 736C D83E 32DB A2FD 0208 9113 0FC8 BA7D FECF 84FB
Re: Google releases beta OpenPGP code
With Chrome's relatively new native-messaging-api system, it wouldn't be terribly hard to spawn off external processes to do gpg work. You just have to implement a JSON messaging API between an extension and a platform-specific executable.

On Jun 4, 2014 7:31 PM, a k'wala akw...@gmail.com wrote:
> On 06/04/2014 08:45 AM, Ciprian Dorin Craciun wrote:
>> Personally I won't use any browser plugin that operates on cryptographic material inside its own process. Instead I would expect it to delegate such operations to something similar to the GnuPG agent.
>
> I happened to come across one that uses an external gpg binary: http://thinkst.com/tools/cr-gpg/. Its last release was an alpha in 2012.
>
> aslamK
> PGP key http://is.gd/aslampgpmit
> fingerprint: 736C D83E 32DB A2FD 0208 9113 0FC8 BA7D FECF 84FB
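The delegation pattern argued for in Ciprian's message (keep key material out of the browser process) and the mechanism named in the post above (Chrome's native messaging API, JSON between the extension and a local executable) fit together in a small host process. The following is an added example written for this page; it is not code from End-To-End, cr-gpg or GnuPG. What it relies on is documented Chrome behaviour: the browser starts the host as a child process and exchanges messages over its stdin/stdout only, each message being a 32-bit length in native byte order followed by UTF-8 JSON. The "op" names, the JSON shape, the error format and the gpg command lines in gpg_handler are assumptions chosen for illustration.

```python
"""Chrome native-messaging host that delegates OpenPGP work to an external gpg.

Added example for this thread; it is not code from End-To-End, cr-gpg or
GnuPG.  The framing (native-endian 32-bit length + UTF-8 JSON over stdio)
is Chrome's; the 'op' names, the reply shape and the gpg flags are
assumptions chosen for illustration.
"""
import io
import json
import struct
import subprocess
import sys
from typing import BinaryIO, Callable, List, Optional

# Chrome will not deliver a reply larger than 1 MiB to the extension; the same
# ceiling is applied to incoming frames so a broken or hostile peer cannot make
# the host allocate an arbitrary amount of memory.
MAX_MESSAGE = 1024 * 1024
LEN = struct.Struct("=I")  # native byte order, fixed 4-byte size


def read_message(stream: BinaryIO) -> Optional[dict]:
    """Read one framed message; returns None on a clean EOF."""
    header = stream.read(LEN.size)
    if not header:
        return None
    if len(header) != LEN.size:
        raise ValueError("truncated length prefix")
    (length,) = LEN.unpack(header)
    if length > MAX_MESSAGE:
        raise ValueError("frame too large: %d" % length)
    body = stream.read(length)
    if len(body) != length:
        raise ValueError("truncated message body")
    return json.loads(body.decode("utf-8"))


def encode_message(obj: dict) -> bytes:
    body = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    if len(body) > MAX_MESSAGE:
        raise ValueError("reply exceeds Chrome's 1 MiB limit")
    return LEN.pack(len(body)) + body


# Allow-list of operations (assumed names).  The data travels on gpg's stdin,
# never in argv, so nothing from the extension is ever parsed as an option.
# Passphrases are handled by gpg-agent/pinentry, so private key material never
# enters the browser process.
GPG_OPS = {
    "sign":    ["gpg", "--batch", "--armor", "--detach-sign"],
    "decrypt": ["gpg", "--batch", "--decrypt"],
}


def gpg_handler(msg: dict) -> str:
    argv = GPG_OPS.get(msg.get("op"))
    data = msg.get("data")
    if argv is None or not isinstance(data, str):
        raise ValueError("unknown op or missing data")
    proc = subprocess.run(argv, input=data.encode("utf-8"), capture_output=True, timeout=120)
    if proc.returncode != 0:
        raise RuntimeError("gpg exited with status %d" % proc.returncode)
    return proc.stdout.decode("utf-8", "replace")


def serve(inp: BinaryIO, out: BinaryIO, handler: Callable[[dict], object]) -> int:
    """Dispatch frames until EOF or a framing error; returns the count handled."""
    handled = 0
    while True:
        try:
            msg = read_message(inp)
        except ValueError as exc:
            # A byte stream cannot be resynchronised after a bad frame: report and stop.
            out.write(encode_message({"ok": False, "error": str(exc)}))
            out.flush()
            return handled
        if msg is None:
            return handled
        try:
            reply = {"ok": True, "result": handler(msg)}
        except Exception as exc:  # never send a traceback to the extension
            reply = {"ok": False, "error": type(exc).__name__}
        out.write(encode_message(reply))
        out.flush()
        handled += 1


def run_offline(requests: List[dict], handler: Callable[[dict], object]) -> List[dict]:
    """Feed requests through serve() over in-memory pipes (demo/test helper)."""
    inp = io.BytesIO(b"".join(encode_message(r) for r in requests))
    out = io.BytesIO()
    serve(inp, out, handler)
    out.seek(0)
    replies = []
    while (reply := read_message(out)) is not None:
        replies.append(reply)
    return replies


if __name__ == "__main__":
    serve(sys.stdin.buffer, sys.stdout.buffer, gpg_handler)
```

Chrome locates the host through a per-platform host manifest (name, path, "type": "stdio" and the extension origins allowed to connect), and the extension side opens the pipe with chrome.runtime.connectNative; the host sees only stdio, which is why the design above never exposes a socket. The error replies carry an exception class name rather than gpg's stderr, since the latter can echo fragments of the input.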
Re: Google releases beta OpenPGP code
On 06/03/2014 10:43 PM, David Shaw wrote:
> Likely of interest to this group: http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encryption-easier-to.html
>
> Briefly, it's a Chrome extension for doing OpenPGP. It can import and use RSA keys generated elsewhere, but only has code to generate ECC keys internally. I haven't looked at the fine details yet, but on the surface it seems like they're aiming at Gmail (mainly, but not solely).
>
> David

Good that Google has released the source. Hope to see the implementation compared to OpenPGP.js.

-aslamK
PGP key http://is.gd/aslampgpmit
fingerprint: 736C D83E 32DB A2FD 0208 9113 0FC8 BA7D FECF 84FB
Google releases beta OpenPGP code
Likely of interest to this group: http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encryption-easier-to.html

Briefly, it's a Chrome extension for doing OpenPGP. It can import and use RSA keys generated elsewhere, but only has code to generate ECC keys internally. I haven't looked at the fine details yet, but on the surface it seems like they're aiming at Gmail (mainly, but not solely).

David